Andrés Sepúlveda rigged elections throughout Latin America for almost a decade. He tells his story for the first time.
According to Sepúlveda, his payments were made in cash, half upfront. When he traveled, he used a fake passport and stayed alone in a hotel, far from campaign staff. No one could bring a smartphone or camera into his room.
Most jobs were initiated in person. Sepúlveda says Rendón would give him a piece of paper with target names, e-mail addresses, and phone numbers. Sepúlveda would take the note to his hotel, enter the data into an encrypted file, then burn the page or flush it down the toilet. If Rendón needed to send an e-mail, he used coded language. To “caress” meant to attack; to “listen to music” meant to intercept a target’s phone calls.
Rendón and Sepúlveda took pains not to be seen together. They communicated over encrypted phones, which they replaced every two months. Sepúlveda says he sent daily progress reports and intelligence briefings from throwaway e-mail accounts to a go-between in Rendón’s consulting firm.
Each job ended with a specific, color-coded destruct sequence. On election day, Sepúlveda would purge all data classified as “red.” Those were files that could send him and his handlers to prison: intercepted phone calls and e-mails, lists of hacking victims, and confidential briefings he prepared for the campaigns. All phones, hard drives, flash drives, and computer servers were physically destroyed. Less-sensitive “yellow” data—travel schedules, salary spreadsheets, fundraising plans—were saved to an encrypted thumb drive and given to the campaigns for one final review. A week later it, too, would be destroyed.
For most jobs, Sepúlveda assembled a crew and operated out of rental homes and apartments in Bogotá. He had a rotating group of 7 to 15 hackers brought in from across Latin America, drawing on the various regions’ specialties. Brazilians, in his view, develop the best malware. Venezuelans and Ecuadoreans are superb at scanning systems and software for vulnerabilities. Argentines are mobile intercept artists. Mexicans are masterly hackers in general but talk too much. Sepúlveda used them only in emergencies.
The assignments lasted anywhere from a few days to several months. In Honduras, Sepúlveda defended the communications and computer systems of presidential candidate Porfirio Lobo Sosa from hackers employed by his competitors. In Guatemala, he digitally eavesdropped on six political and business figures, and says he delivered the data to Rendón on encrypted flash drives at dead drops. (Sepúlveda says it was a small job for a client of Rendón’s who has ties to the right-wing National Advancement Party, or PAN. The PAN says it never hired Rendón and has no knowledge of any of his claimed activities.) In Nicaragua in 2011, Sepúlveda attacked Ortega, who was running for his third presidential term. In one of the rare jobs in which he was working for a client other than Rendón, he broke into the e-mail account of Rosario Murillo, Ortega’s wife and the government’s chief spokeswoman, and stole a trove of personal and government secrets.
In Venezuela in 2012, the team abandoned its usual caution, animated by disgust with Chávez. With Chávez running for his fourth term, Sepúlveda posted an anonymized YouTube clip of himself rifling through the e-mail of one of the most powerful people in Venezuela, Diosdado Cabello, then president of the National Assembly. He also went outside his tight circle of trusted hackers and rallied Anonymous, the hacktivist group, to attack Chávez’s website.
After Sepúlveda hacked Cabello’s Twitter account, Rendón seemed to congratulate him. “Eres noticia :)”—you’re news—he wrote in a Sept. 9, 2012, e-mail, linking to a story about the breach. (Rendón says he never sent such an e-mail.) Sepúlveda provided screen shots of a dozen e-mails, and many of the original e-mails, showing that from November 2011 to September 2012 Sepúlveda sent long lists of government websites he hacked for various campaigns to a senior member of Rendón’s consulting firm, lacing them with hacker slang (“Owned!” read one). Two weeks before Venezuela’s presidential election, Sepúlveda sent screen shots showing how he’d hacked Chávez’s website and could turn it on and off at will.
Chávez won but died five months later of cancer, triggering an emergency election, won by Nicolás Maduro. The day before Maduro claimed victory, Sepúlveda hacked his Twitter account and posted allegations of election fraud. Blaming “conspiracy hackings from abroad,” the government of Venezuela disabled the Internet across the entire country for 20 minutes.